Uber paid hackers to keep data breach secret, sources say

Uber, the ride-hailing smartphone app, suffered a data breach last year in which over 57 million customers and 600,000 drivers had their personal information stolen by a 20-year-old hacker from Florida.

Now, in a statement released on the 2016 attack, Uber said that it paid two hackers $100,000 in ransom to destroy the data taken in the 2016 hack and to keep the breach quiet, Reuters reported. It also did not notify those who were affected by the breach.

According to the statement, the hack was carried out by two people against a third-party cloud service. The rideshare company disclosed no further details except that the hacker is a 20-year-old man from Florida.

The stolen information included driver names and driver’s license numbers as well as rider names, email addresses and mobile phone numbers. However, no location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were stolen, Uber said. Affected drivers will get free credit monitoring and identity theft protection.

“None of this should have happened, and I will not make excuses for it,” Uber’s current CEO Dara Khosrowshahi said in the statement. It was revealed that even he was not aware of the 2016 incident until “recently”.

On November 21, 2017, Uber announced the data breach that took place last year. Newly appointed Uber CEO Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, following an investigation that first alerted Uber’s board to the hack.

According to Khosrowshahi, the incident should have been disclosed to regulators when it was discovered last year, Reuters reported.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures,” Uber said in a statement.

Sources told Reuters that former CEO Travis Kalanick knew about the 2016 hack and “bug bounty” payment in November of last year. However, who made the final decision to authorize the payment to the hacker and to keep the breach secret is still unclear.

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it,” Khosrowshahi said of the breach.

Kalanick was aware of the breach and “bug bounty” payment in November of last year. Uber’s “bug bounty” service is hosted by HackerOne, a company that offers its platform to several tech companies, the report said. Bug bounty services are typically used by security researchers to report software weaknesses.

However, it appears that the hacker stole the information first and was only retroactively entered into the bug bounty program. In other words, the Uber executives who knew about the breach used the bug bounty program to pay him and to present the payment as a routine part of the company’s IT security process.

The company did not want to disclose that it had been hacked and would probably never have acknowledged it, had it not been for the investigation conducted by the board last month.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter. Similarly, Kalanick, who stepped down as Uber CEO in June, refused to comment on the matter, according to his spokesman.

Katie Moussouris, a former HackerOne executive, told Reuters that Uber’s payout and silence at the time were extraordinary under such a program.

“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.

Five states and multiple countries are investigating the matter to determine whether the company was legally required to notify consumers or government agencies of the breach.